Cyber Essentials is a Government-backed, industry-supported scheme to help organisations protect themselves against common online threats.
With Cyber Essentials, you can prevent around 80% of cyber-attacks. (HM Government 2016)
The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop Cyber Essentials, a set of basic technical controls to help organisations protect themselves against common online security threats.
Why do I need Cyber Essentials?
• Reassure customers that you take cyber security seriously
• You will be listed on the Directory of organisations awarded Cyber Essentials
• Attract new business with the promise you have cyber security measures in place
• The scheme will also increase your opportunities within the private sector as it is required for UK Government contracts that involve the handling of personal and sensitive information.
Use a firewall to secure your Internet connection
You should protect your Internet connection with a firewall. This effectively creates a ‘buffer zone’ between your IT network and other, external networks.
In the simplest case, this means between your computer (or computers) and ‘the Internet’. Within this buffer zone, incoming traffic can be analysed to find out whether or not it should be allowed onto your network.
You could use a personal firewall on your internet connected laptop (normally included within your Operating System at no extra charge). Or, if you have a more complicated set up with many different types of devices, you might require a dedicated boundary firewall, which places a protective buffer around your network as a whole. Some routers will contain a firewall which could be used in this boundary protection role. But this can’t be guaranteed.
Cyber Essentials Certification requires that you configure and use a firewall to protect all your devices, particularly those that connect to public or other untrusted Wi-Fi networks.
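The 'buffer zone' described above comes down to a default-deny inbound policy with a short list of deliberate exceptions. The following is an added example, not code from the Cyber Essentials scheme or the NCSC: a small audit that reads an `iptables-save` style ruleset (the two rulesets embedded below are constructed for illustration) and reports where the inbound posture falls short of that standard. Rule names, chain names and the findings text are this example's own.

```python
"""Audit an iptables-save style ruleset for a default-deny inbound posture.

Added example, not from the Cyber Essentials page. The rulesets below are
constructed; on a real Linux host, feed the function the output of
`iptables-save` instead.
"""
import shlex

# Constructed sample of a sound host/boundary ruleset: drop by default,
# allow replies to our own connections, loopback, and SSH from one subnet.
GOOD_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
COMMIT
"""

# Constructed sample with common mistakes: open-by-default chains, a
# catch-all ACCEPT, and a remote-desktop port reachable from any address.
BAD_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
"""


def parse_ruleset(text):
    """Return (policies, rules): chain -> default policy, and tokenised -A rules from *filter."""
    policies, rules = {}, []
    in_filter = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#"):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            rules.append(shlex.split(line))
    return policies, rules


def _opt(tokens, flag):
    """Value that follows `flag` in a rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit_firewall(text):
    """Return a list of findings; an empty list means the inbound posture looks sound."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} default policy is {policies.get(chain, 'missing')}, expected DROP")
    for tokens in rules:
        if _opt(tokens, "-A") != "INPUT" or _opt(tokens, "-j") != "ACCEPT":
            continue
        scoped_to_source = "-s" in tokens or _opt(tokens, "-i") == "lo"
        stateful = "--ctstate" in tokens          # replies to connections we opened
        has_port = "--dport" in tokens
        if not (scoped_to_source or stateful or has_port):
            findings.append("catch-all ACCEPT in INPUT: " + " ".join(tokens))
        elif has_port and not scoped_to_source:
            # Review item rather than an automatic failure: a public web server
            # legitimately exposes 80/443, but 3389 or 22 to the world rarely is.
            findings.append(f"port {_opt(tokens, '--dport')} is open to any source: " + " ".join(tokens))
    return findings


if __name__ == "__main__":
    for name, ruleset in (("good", GOOD_RULESET), ("bad", BAD_RULESET)):
        print(name, audit_firewall(ruleset) or ["no findings"])
```

The same logic applies to a personal firewall on a laptop and to a dedicated boundary firewall; only the place the ruleset is read from changes. A port that is open to any source is reported for review rather than treated as a failure, because some services (a public web server, for example) are meant to be reachable.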
Choose the most secure settings for your devices and software
Manufacturers often set the default configurations of new software and devices to be as open and multi-functional as possible. They come with ‘everything on’ to make them easily connectable and usable. Unfortunately, these settings can also provide cyber attackers with opportunities to gain unauthorised access to your data, often with ease.
Check the settings
So, you should always check the settings of new software and devices and where possible, make changes which raise your level of security. For example, by disabling or removing any functions, accounts or services which you do not require.
Use passwords
Your laptops, desktop computers, tablets and smartphones contain your data, but they also store the details of the online accounts that you access, so both your devices and your accounts should always be password-protected. Passwords – when implemented correctly – are an easy and effective way to prevent unauthorised users accessing your devices. Passwords should be easy to remember and hard for somebody else to guess. The default passwords which come with new devices such as ‘admin’ and ‘password’ are the easiest of all for attackers to guess. So you must change all default passwords before devices are distributed and used. The use of PINs or Touch ID can also help secure your device.
Extra security
For ‘important’ accounts, such as banking and IT administration, you should use two-factor authentication, also known as 2FA. A common and effective example of this involves a code sent to your smartphone which you must enter in addition to your password.
Cyber Essentials Certification requires that only necessary software, accounts and apps are used. If you would like more information on choosing passwords,
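The second factor described above is something the attacker does not have: a code that changes every few seconds. As an added example (not code from the Cyber Essentials scheme), here is the time-based one-time password algorithm (RFC 6238) that authenticator apps use for the same purpose, including the server-side verification step. The shared secret is the published RFC 4226/6238 test-vector secret so the codes can be checked against the standard; a real deployment generates a random secret for each user and displays it once during enrolment.

```python
"""Time-based one-time passwords (RFC 6238) as a worked second factor.

Added example, not from the Cyber Essentials page. TEST_SECRET is the
RFC 4226 / RFC 6238 reference secret, chosen so the output matches the
published test vectors; never reuse it for real accounts.
"""
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"   # RFC reference secret (ASCII digits)
STEP_SECONDS = 30                        # how long one code stays valid
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS, digits=DIGITS):
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time, window=1, step=STEP_SECONDS):
    """Server-side check. Returns the matched counter, or None if the code is wrong.

    Accepts the current step and `window` steps either side to tolerate clock
    drift between phone and server. Compares in constant time so timing does
    not reveal how many digits were right. Callers should store the returned
    counter and refuse to accept the same one twice (RFC 6238, section 5.2).
    """
    counter = int(at_time) // step
    for offset in range(-window, window + 1):
        candidate = hotp(secret, counter + offset)
        if hmac.compare_digest(candidate, submitted):
            return counter + offset
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(TEST_SECRET, now)
    print("code now:", code, "accepted:", verify_totp(TEST_SECRET, code, now) is not None)
    print("stale code accepted two minutes later:", verify_totp(TEST_SECRET, code, now + 120) is not None)
```

A code intercepted today is useless a minute later, which is what makes this stronger than a password alone; the drift window keeps that property while tolerating a phone whose clock is slightly off.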
Control who has access to your data and services
To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them.
Administrative accounts
Check what privileges your accounts have – accounts with administrative privileges should only be used to perform administrative tasks. Standard accounts should be used for general work. By ensuring that your staff don’t browse the web or check emails from an account with administrative privileges you cut down on the chance that an admin account will be compromised. This is important because an attacker with unauthorised access to an administrative account can be far more damaging than one accessing a standard user account.
Access to software
Another simple and effective way to ensure your devices stay secure and malware-free is to only use software from official sources. The easiest way to do this is to only allow your users to install software from manufacturer approved stores, which will be screening for malware. For mobile devices, this means sources such as Google Play or the Apple App Store.
Cyber Essentials Certification requires that you control access to your data through user accounts, that administration privileges are only given to those that need them, and that what an administrator can do with those accounts is controlled.
Protect yourself from viruses and other malware
Malware is short for ‘malicious software’. One specific example is ransomware, which you may have heard mentioned in the news. This form of malware makes data or systems it has infected unusable until the victim makes a payment. Viruses are another well-known form of malware. These programs are designed to infect legitimate software, passing unnoticed between machines, whenever they can.
Where does malware come from?
There are various ways in which malware can find its way onto a computer. A user may open an infected email attachment, browse a malicious website, or use a removable storage drive, such as a USB memory stick, which is carrying malware.
How to defend against malware
Anti-malware measures are often included for free within popular operating systems. For example, Windows has Defender and macOS has XProtect. These should be used on all computers and laptops. For your office equipment, you can pretty much click ‘enable’, and you’re instantly safer.
Smartphones and tablets should be kept up to date, password protected and where possible, you should turn on the ability to track and erase lost devices. If you can avoid connecting to unknown wi-fi networks, this will help to keep your devices free of malware too.
Whitelisting can also be used to prevent users installing and running applications that may contain malware. The process involves an administrator creating a list of applications allowed on a device. Any application not on this list will be blocked from running. This is a strong protection as it works even if the malware is undetectable to anti-virus software. It also requires little maintenance.
Sandboxing: Where possible, use versions of the applications that support sandboxing. For instance, most modern web browsers implement some form of sandbox protection. A sandboxed application is run in an isolated environment with very restricted access to the rest of your device and network. In other words, your files and other applications are kept beyond the reach of malware, if possible. If you would like to learn more about preventing malware, the NCSC has guidance which you may find useful.
Cyber Essentials Certification requires that you implement at least one of the approaches listed above to defend against malware.
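The whitelisting approach above works by identity rather than by recognising anything malicious, which is why it stops malware that no anti-virus signature covers. The following is an added example, not code from the Cyber Essentials scheme or from any allowlisting product: it shows the logic of a hash-based allowlist, with the administrator's step (record the SHA-256 of each approved program) and the enforcement step (refuse anything whose hash is not on the list). The 'programs' are small files constructed in a temporary directory; in practice the enforcement is done by the operating system (Windows AppLocker or WDAC, macOS Gatekeeper), not by a script.

```python
"""Hash-based application allowlisting, illustrating the 'Whitelisting' control.

Added example, not from the Cyber Essentials page. The files and names are
constructed; real enforcement belongs in the OS policy engine.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths):
    """Administrator step: map each approved program's hash to a friendly name."""
    return {sha256_of_file(p): os.path.basename(p) for p in paths}


def check_execution(path, allowlist):
    """Enforcement step: (allowed, reason). Anything not on the list is denied by default."""
    digest = sha256_of_file(path)
    if digest in allowlist:
        return True, f"allowed: matches approved '{allowlist[digest]}'"
    return False, f"blocked: {os.path.basename(path)} (sha256 {digest[:16]}...) is not on the allowlist"


def demo():
    """Approve one program, then test it, a tampered copy of it, and an unvetted file."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "invoice-tool")
        tampered = os.path.join(d, "invoice-tool-modified")
        unknown = os.path.join(d, "free-screensaver")
        with open(approved, "wb") as f:                       # constructed 'business app'
            f.write(b"#!/bin/sh\necho approved business app\n")
        with open(tampered, "wb") as f:                       # same app with one line added
            f.write(b"#!/bin/sh\necho approved business app\necho extra\n")
        with open(unknown, "wb") as f:                        # never reviewed by anyone
            f.write(b"#!/bin/sh\necho something nobody vetted\n")

        allowlist = build_allowlist([approved])
        results = {}
        for name, path in (("approved", approved), ("tampered", tampered), ("unknown", unknown)):
            allowed, reason = check_execution(path, allowlist)
            results[name] = allowed
            print(f"{name:9s} -> {reason}")
        return results


if __name__ == "__main__":
    demo()
```

Two properties are worth noticing in the output: a single changed byte in an approved program is enough to block it, because the hash no longer matches; and the unvetted file is blocked without anyone having to decide it is malicious. The flip side is that every legitimate update to an approved program changes its hash, so the allowlist has to be refreshed as part of patching; publisher-certificate or path-based rules in the OS tools trade some of this precision for less upkeep.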
Keep your devices and software up to date
No matter which phones, tablets, laptops or computers your organisation is using, it’s important they are kept up to date at all times. This is true for both Operating Systems and installed apps or software. Happily, doing so is quick, easy, and free.
Also known as ‘Patching’
Manufacturers and developers release regular updates which not only add new features, but also fix any security vulnerabilities that have been discovered. Applying these updates is one of the most important things you can do to improve security.
Operating systems, programmes, phones and apps should all be set to ‘automatically update’ wherever this is an option. This way, you will be protected as soon as the update is released. However, all IT has a limited lifespan. When the manufacturer no longer supports your hardware or software and new updates cease to appear, you should consider a modern replacement.
Cyber Essentials Certification requires that you keep your devices, software and apps up to date.
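Automatic updates cover most devices, but the guidance also asks for two things that need a deliberate check: that nothing has silently fallen behind, and that nothing is past the point where updates stop arriving. The following is an added example, not code from the Cyber Essentials scheme: a small inventory check that compares installed versions with the vendor's current release and flags products that are out of support. The product names, versions, dates and device names are constructed placeholders; a real run would take the inventory from the device management tool and the reference table from each vendor's release and lifecycle pages.

```python
"""Patch-status check over a software inventory.

Added example, not from the Cyber Essentials page. REFERENCE, INVENTORY and
AS_OF are constructed; product names and dates are made up.
"""
from datetime import date


def parse_version(text):
    """'10.2.11' -> (10, 2, 11). Compared as integers, so 118.0.2 is newer than 99.0.1
    (a plain string comparison would get that backwards)."""
    return tuple(int(part) for part in text.split("."))


# Constructed reference data: the vendor's current release and when support ends.
REFERENCE = {
    "ExampleOS":      {"current": "12.4.1",  "support_ends": date(2027, 6, 30)},
    "ExampleBrowser": {"current": "118.0.2", "support_ends": None},          # still supported
    "ExampleOffice":  {"current": "2016.8",  "support_ends": date(2023, 10, 10)},
}

# Constructed inventory: (device, product, installed version).
INVENTORY = [
    ("laptop-01",  "ExampleOS",      "12.4.1"),
    ("laptop-02",  "ExampleOS",      "12.3.9"),
    ("laptop-02",  "ExampleBrowser", "118.0.2"),
    ("tablet-03",  "ExampleBrowser", "99.0.1"),
    ("desktop-04", "ExampleOffice",  "2016.8"),
]

AS_OF = date(2024, 1, 15)   # constructed 'today' so the example is reproducible


def assess(inventory, reference, today):
    """Return {device: [finding, ...]} for devices with something to fix.

    A product past its support date is flagged even when it is on the latest
    version: no further security fixes will arrive, which is the replacement
    case the guidance describes.
    """
    findings = {}
    for device, product, installed in inventory:
        ref = reference.get(product)
        if ref is None:
            findings.setdefault(device, []).append(
                f"{product}: no reference data, cannot confirm it is patched")
            continue
        if ref["support_ends"] is not None and today > ref["support_ends"]:
            findings.setdefault(device, []).append(
                f"{product} {installed}: out of support since {ref['support_ends']}, plan replacement")
        elif parse_version(installed) < parse_version(ref["current"]):
            findings.setdefault(device, []).append(
                f"{product} {installed}: behind current {ref['current']}, apply update")
    return findings


if __name__ == "__main__":
    for device, items in sorted(assess(INVENTORY, REFERENCE, AS_OF).items()):
        for item in items:
            print(f"{device}: {item}")
```

In the constructed data, laptop-02 and tablet-03 are behind and need the update applied, while desktop-04 is fully patched but out of support, which is the case where a modern replacement is the only fix. The integer version comparison matters in practice: as text, "99.0.1" sorts after "118.0.2" and the tablet would wrongly pass.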